Collaborations both a blessing and a curse for university cybersecurity
The threat of cyberattacks within the higher education industry has long been an issue. Pretty much from the introduction of the web into university life, the issue of security has been paramount given the valuable and highly personal nature of the data universities hold.
Everything from staff and students’ medical records, through to location and financial data is often stored within a university’s systems and has been a target of hackers for decades now.
But it is not just personal data that many hackers want to get their hands on. Universities have always been at the forefront of new research and ground-breaking inventions, and with the increase in university-industry collaboration, this is only becoming more prevalent.
While the benefits of such partnerships are undeniable, this rise of such collaborations is making universities more of a target for attack.
“As universities are partnering with commercial institutions to carry out research with potentially very sensitive implications – think pharmaceuticals or environmental/geopolitical – then their attraction for bad actors becomes greater and greater,” Chief Technical Officer of ITC Secure, Adrian Taylor, told Computer Business Review.
Leading research can attract the wrong kind of attention
Beyond personal data, hackers can now gain access to the intellectual property and latest research of today’s industry leaders and the innovators of tomorrow. And they’re trying their best to get their hands on it.
Iranian hackers have been running operations over the last year specifically targeting universities. Despite indictments from the US Department of Justice back in March 2018, an August report from Secureworks found the hackers – linked to the Iranian government – were continuing their work on a global scale.
The cybersecurity firm discovered a campaign targeting university students using 16 domains and more than 300 fake websites and login pages for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom and the US.
The campaign involved creating fake websites that resembled the login pages for each university.
Anyone who accidentally filled in their account name and passwords to the spoof login pages would have handed the group their credentials.
After filling in their details, victims would be automatically redirected to the legitimate website, so they were likely unaware they had fallen for the hack.
Security experts believe the sole aim of the criminals was to access unpublished research and the latest advances.
Following the indictment of nine of the hackers in March, US Attorney Geoffrey Berman said they had “targeted innovations and intellectual property from our country’s greatest minds.”
As universities increasingly become home to the most influential, potentially dangerous, world-changing advancements, this risk only stands to get worse.
Universities team up with government defence departments, leading tech companies, political policy departments, medical pioneers, and the next generation of entrepreneurs.
These connections mean the material they store is becoming more sensitive, more important, and, therefore, more desirable to malicious actors.
Universities are failing to protect themselves
With such sensitive material, the need to protect themselves has never been greater. But universities are failing, and not just a little bit, but pretty spectacularly.
According to a new study from Higher Education Policy Institute (HEPI) and Jisc, the institution that provides internet services to UK universities, “senior leaders are not taking the issue seriously enough.”
After carrying out penetration tests on the online infrastructure of over 50 UK universities, Jisc had “a 100 percent track record of gaining access to a higher education institution’s high-value data within two hours.”
HEPI called the results “alarming,” noting that only 15 percent of higher education IT and security staff believed their organisation was well protected.
A variety of reasons were given for the poor performance, including lack of dedicated staff and budget, and a lack of policies, suggesting those in power are not dedicating enough consideration and resources to the problem.
A prime example of this is the case of Greenwich University, who was fined £120,000 back in May for holding data on an unsecured server.
While such incidents don’t get the headlines other attacks on Britain’s National Health Service or Marriott Hotels get, it still has huge potential to cause personal, financial and reputational harm. Not to mention potential national security threats and significant loss in intellectual property if valuable material is stolen.
The solution lies close to home
While universities have become a key target for organised criminals and some unscrupulous nation states, they may also – ironically – be the saviours of security. Higher education and, in particular, its industry collaborations are also the origin of many of the most revolutionary advances in cybersecurity.
Ongoing examples include UMBC, Keio Research Institute (KRIS) in Japan, and Royal Holloway partnering in collaboration with Hitachi to investigate the use of common system simulation tools for modelling cybersecurity in critical national infrastructure, including information technology, public transit, and financial services.
Lancaster University, in collaboration with Quantum Base, is claiming their latest creation will make cyberattacks impossible. The invention of the first practical quantum random number generator will provide 100 percent provable quantum security for authentication and communication when integrated into microelectronic products.
These are just two of umpteen security-related collaborations happening right now globally. And the research and partnerships are only set to grow as cybersecurity steadily makes its way up the list of biggest global threats.
For universities, the very thing that makes them a target, could be what saves them.
“Ironically, of course, some of the most valuable research into cybersecurity comes from these self-same institutions,” Taylor of ITC Security said. “So it’s not as if they don’t have the skills or capabilities to secure their own estate.”